Noah Kantrowitz wrote:
> A possible security issue exists with pooled SQLite connection and the
> ATTACH/DETACH statements. Below is a patch that should correct it, can
> people test that it doesn't impact performance too much?
>
No, the performance doesn't seem to be affected in my tests (getting 1000 days out of my timeline, Windows tracd server, wget client on Linux).

> Index: trac/db/sqlite_backend.py > =================================================================== > --- trac/db/sqlite_backend.py (revision 6324) > +++ trac/db/sqlite_backend.py (working copy) > @@ -174,6 +174,12 @@ > cnx = sqlite.connect(path, detect_types=sqlite.PARSE_DECLTYPES, > check_same_thread=sqlite_version < 30301, > timeout=timeout) > + > + def authz_callback(action, arg1, arg2, dbname, source): > + if action == sqlite.SQLITE_ATTACH or action == > sqlite.SQLITE_DETACH: >

The patch seems fine, modulo the need for getting that line shorter (< 80 characters). But be aware that this puts some new requirements on pysqlite, as set_authorizer was only introduced in 2.3.0. So either we keep the patch as it is and update the requirement or we add a test for the pysqlite version.

-- Christian
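
Review bot: In `authz_callback`, the `if action == sqlite.SQLITE_ATTACH or action == sqlite.SQLITE_DETACH:` condition can be written as a membership test, `if action in (sqlite.SQLITE_ATTACH, sqlite.SQLITE_DETACH):`, which stays under 80 columns without a continuation line. The quoted hunk ends at the `if` line, so the return paths are not visible here; the callback should return `sqlite.SQLITE_DENY` inside that branch and `sqlite.SQLITE_OK` on every other path, because the authorizer is consulted for each action while a statement is compiled on the connection. A short comment above the function saying why ATTACH/DETACH are refused on pooled connections would help the next reader.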
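
The approach discussed in this thread, as an added example that is not the patch or Trac's code: it uses Python's standard `sqlite3` module in place of pysqlite. The `harden`, `try_sql` and `demo` names, the feature test on `set_authorizer` (standing in for a pysqlite version check) and the sample table are assumptions made for illustration.

```python
import sqlite3

# Hypothetical names throughout; stdlib sqlite3 stands in for pysqlite.
BLOCKED_ACTIONS = (sqlite3.SQLITE_ATTACH, sqlite3.SQLITE_DETACH)


def authz_callback(action, arg1, arg2, dbname, source):
    """Authorizer: refuse ATTACH/DETACH, allow every other action."""
    if action in BLOCKED_ACTIONS:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def harden(cnx):
    """Install the authorizer if the binding has set_authorizer.

    Returns False when the method is missing, so the caller can decide
    whether an unprotected connection is acceptable.
    """
    if not hasattr(cnx, "set_authorizer"):
        return False
    cnx.set_authorizer(authz_callback)
    return True


def try_sql(cnx, sql):
    """Run one statement; return 'ok' or the DatabaseError message."""
    try:
        cnx.execute(sql)
        return "ok"
    except sqlite3.DatabaseError as exc:
        return str(exc)


def demo():
    """Compare a hardened connection with a plain one (constructed data)."""
    attach = "ATTACH DATABASE ':memory:' AS other"
    plain = sqlite3.connect(":memory:")
    cnx = sqlite3.connect(":memory:")
    results = {
        "installed": harden(cnx),
        "attach_unhardened": try_sql(plain, attach),
        "create": try_sql(cnx, "CREATE TABLE ticket (id INTEGER, summary TEXT)"),
        "attach": try_sql(cnx, attach),
        "insert": try_sql(cnx, "INSERT INTO ticket VALUES (1, 'constructed row')"),
        "rows": cnx.execute("SELECT count(*) FROM ticket").fetchall(),
    }
    plain.close()
    cnx.close()
    return results
```

On the hardened connection the ATTACH fails when the statement is compiled, while ordinary schema and data statements are unaffected.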
